Questions have been raised over the effectiveness of the federal government’s approach to cyber security, with unenforced mandatory rules creating ‘patchwork’ resilience across the Commonwealth.
In a parliamentary committee hearing into cyber resilience on Thursday, representatives from the National Archives of Australia (NAA) and Treasury called for better coordination and more funding to address problem areas.
It follows an audit of the two agencies and Geoscience Australia last year, which found that only Treasury had implemented all four of the Australian Signals Directorate’s (ASD) top four cyber mitigation strategies.
But the audit was only a snapshot of what is now being described as a systemic issue across the Australian Public Service, with only four of 14 government entities (29 percent) found to be compliant with the top four in audits over the last four years.
More widely, in the last full count of compliance with the ASD’s mandatory information security controls, almost forty percent of agencies were struggling to fully implement the top four in one way or another.
This is despite the top four becoming mandatory close to six years ago, and having since been folded into a broader baseline for cyber security, the Essential Eight, which retains the original four controls.
It has led the Australian National Audit Office to recommend changes to the current framework to strengthen compliance.
While there have been major improvements at some of Canberra’s largest agencies since the audits began, NAA director-general David Fricker told the committee he was concerned about the ability of small and micro-sized agencies to achieve compliance.
“Self-assessment and reliance on individual agencies, each with an uneven capability and uneven technical knowledge, means we’re not going to achieve a consistent resilience across the Commonwealth,” he said.
“There are always going to be agencies among us that represent the weakest link in the chain.”
He described the issue as “a weakness built into [the] system”, which was only continuing to be amplified in what is a “very fast moving threat environment”.
“I think we still have a vulnerability in our system, we have a patchwork approach to cyber resilience across the Commonwealth,” he said.
“We’re all interconnected. Each one of us has the possibility to infect the network of another and I think this is an issue we all have to collectively address.”
Asked by Labor MP Gai Brodtmann whether there was a need for ASD or the Australian Cyber Security Centre to step in and assist agencies, Fricker said “any access to external, more specialised professional advice would be most welcomed”.
“I do think for a matter as serious as this, the ability to tap into someone who is properly briefed, who has adequate security clearances, who has got the authority to access all areas of our network, access the information they need - I think the availability of a resource like that would be of immense value,” Fricker said.
“I think that capability would be greatly appreciated, certainly in agencies like the National Archives of Australia.”
His comments echo those of Nigel Phair, director of UNSW Canberra Cyber, who told iTnews last year that there was a need for ASD to give smaller agencies a helping hand.
However, Matt Flavel, of Treasury’s corporate services and business strategy group, was more circumspect, suggesting a nuanced approach that leverages cyber security expertise within agency portfolios to get results.
Other options included “more money for agencies to go out and hire cyber security professionals” or a “more centralised approach” that used ASD more sparingly.
“Is their [ASD’s] role to go in and ensure compliance or is it just to go help [agencies] assess where they’re at and what things they might need to do?” he said.
Geoscience’s suspicious file
The hearing also heard that a suspicious file had sat on Geoscience Australia’s network for months before it was identified and removed.
Under questioning from Labor MP Julian Hill about whether the agency had been hacked before, the agency’s boss James Johnson told the committee the “single executable file” had been placed some time during 2017.
While he said the file “hadn’t actually developed into a major problem”, it had resided in the system for “some months” before being identified by ASD.
“There was a time lag between when [the file was] placed, and when [it was] identified,” he said.
“It was identified for us by ASD and we acted accordingly to rectify that.”
A spokesperson told iTnews the agency had worked with ASD in October 2016 to “undertake forensic analysis in relation to potentially suspicious network traffic detected at Geoscience Australia’s secure internet gateway”.
“Remediation activities were undertaken by Geoscience Australia’s ICT Security personnel, removing the potential threat from the environment,” the spokesperson said.
“Final analysis of the incident was completed in November 2016 that identified no adverse impact occurred.
“Work continued with the Australian Signals Directorate in 2017 to better understand network vulnerabilities and avenues for potential cyber attack.”
Last year the agency was found to be highly exposed to cyber attack in the audit that is the subject of the inquiry, with none of the top four cyber mitigations in place.
It has now kicked off a program of work to implement all the government’s mandatory and non-mandatory cyber security requirements by June 2020.